Louhi Networks Oy
-= Security Advisory =-
Advisory: Zyxel Zywall 2 Multiple vulnerabilities
Release Date: 2007-08-10
Last Modified: 2007-08-10
Authors: Henri Lindberg, Associate of (ISC)²
[henri.lindberg@louhi.fi]
Application: ZyNOS Firmware Version: V3.62(WK.6) | 06/16/2004
Devices: Zyxel Zywall2 (possibly all other Zyxel devices using
the same firmware)
Severity: Moderate
Impact: Persistent cross site scripting, cross site request
forgery, persistant denial of service
Vendor Status: Vendor notified
References: http://www.louhinetworks.fi/advisory/zyxel_070810.txt
Overview:
During an audit of Zyxel Zywall 2 it was discovered that a cross
site request forgery and persistent cross site scripting
vulnerability exists in the management interface. Thus, it is
possible for an attacker to perform any administrative actions in
the management interface, if a logged-in/authenticated user has been
enticed to visit a malicious web site. These actions include e.g.
changing dns server address or other security critical configuration
items.
It was also discovered that it is possible to "brick" the device by
submitting invalid configuration to the device, thus performing a
persistant denial of service attack against it.
Details:
Embedded device management interface does not validate the origin
of an HTTP request. If attacker is able to make an authenticated
user visit a hostile web page, a device can be controlled by
submitting suitable forms. It is possible to steal information from
the device and modify the configuration. See provided
proof-of-concept code for more information.
Successful attack requires that the attacker knows the management
interface address for the target device. As the management interface
is most usually located at the default IP address and might even have
default password in place, performing an successful attack is not far
fetched.
By submitting invalid configuration to the management interface it is
possible to perform a persistant denial of service attack against the
device. After receiving invalid configuration, the device will reboot
and enter an infinite reboot loop. Powering off the device, or
pressing reset button will not help. It has not been researched if
the device can be restored from this state (it does not have any
reset jumpers or battery powered memory). From an ordinary consumer's
point-of-view, the device is compeletely useless. No proof-of-concept
code will be released, but finding this vulnerability is trivial.
More information:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Proof of Concept:
Include a random user-specific token in forms.
Example form (exploits persistent XSS):